I missed this when you sent it; apologies for the delay.
On Feb 13, 2018, at 12:11 AM, Ondra Machacek <omachace(a)redhat.com> wrote:

> Hello,
>
> On 02/09/2018 08:17 PM, Jamie Lawrence wrote:
> > Hello,
> > I'm bringing up a new 4.2 cluster and would like to use LDAP auth. Our LDAP
> > servers are fine and function normally for a number of other services, but I can't get
> > this working.
> > Our LDAP setup requires startTLS and a login. That last bit seems to be where the
> > trouble is. After ovirt-engine-extension-aaa-ldap-setup asks for the cert and I pass it
> > the path to the same cert used via nslcd/PAM for logging in to the host, it replies:
> > [ INFO ] Connecting to LDAP using 'ldap://x.squaretrade.com:389'
> > [ INFO ] Executing startTLS
> > [WARNING] Cannot connect using 'ldap://x.squaretrade.com:389':
> > {'info': 'authentication required', 'desc': 'Server is
> > unwilling to perform'}
> > [ ERROR ] Cannot connect using any of available options
> > "Unwilling to perform" makes me think -aaa-ldap-setup is trying something
> > the backend doesn't support, but I'm having trouble guessing what that could be
> > since the tool hasn't gathered sufficient information to connect yet - it asks for a
> > DN/pass later in the script. And the log isn't much more forthcoming.
> > I double-checked the cert with openssl; it is a valid, PEM-encoded cert.
> > Before I head into the code, has anyone seen this?
>
> Looks like you have disallowed anonymous bind on your LDAP.
> We are trying to establish an anonymous bind to test the connection.

Ah, I think I forgot that anonymous bind was a thing.

> I would recommend trying a manual configuration; the documentation
> is here:
> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/READ...
>
> Then in your /etc/ovirt-engine/aaa/profile1.properties add the following
> line:
>
> pool.default.auth.type = simple
Awesome, thanks so much. I really appreciate the pointer.
-j
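The diagnosis above can be reproduced outside the setup tool with OpenLDAP's ldapwhoami, which exits with the LDAP result code of the bind it attempted. This is an added example, not part of the thread or of ovirt-engine-extension-aaa-ldap; the server URI, CA certificate path and bind DN are placeholders.

```shell
#!/bin/sh
# Added diagnostic: try the two bind modes the setup tool can use, both over
# startTLS, and translate the LDAP result code into the cause seen in the thread.
# All three values below are placeholders, not from the thread.
LDAP_URI="ldap://ldap.example.com:389"
CA_CERT="/etc/pki/tls/certs/ldap-ca.pem"            # the PEM given to the setup tool
BIND_DN="uid=svc-ovirt,ou=people,dc=example,dc=com"  # the search account for the profile

# ldapwhoami's exit status is the LDAP result code of the bind.
# 53 (unwillingToPerform) is what the setup tool's anonymous test bind hit.
classify_bind_result() {
    case "$1" in
        0)  echo "bind accepted" ;;
        49) echo "invalidCredentials: bind DN or password rejected" ;;
        53) echo "unwillingToPerform: server refuses this bind type (anonymous bind disabled?)" ;;
        *)  echo "other LDAP result code $1" ;;
    esac
}

# Anonymous simple bind: -ZZ makes startTLS mandatory, -x selects a simple bind,
# and no -D means no DN, i.e. the bind the setup tool performs by default.
# A result of 53 here is the case for pool.default.auth.type = simple.
try_anonymous_bind() {
    LDAPTLS_CACERT="$CA_CERT" ldapwhoami -H "$LDAP_URI" -ZZ -x >/dev/null
    classify_bind_result $?
}

# Authenticated simple bind over startTLS; -W prompts for the password so it
# never appears in the process list or shell history.
try_simple_bind() {
    LDAPTLS_CACERT="$CA_CERT" ldapwhoami -H "$LDAP_URI" -ZZ -x -D "$BIND_DN" -W >/dev/null
    classify_bind_result $?
}

# Run both checks only when invoked with "run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    echo "anonymous bind: $(try_anonymous_bind)"
    echo "simple bind:    $(try_simple_bind)"
fi
```

If the anonymous bind reports 53 while the simple bind is accepted with the same certificate, the directory and TLS setup are fine and only the profile's auth type needs changing.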